Bugtraq mailing list archives
Re: syslog/udp
From: jhawk () panix com (John Hawkinson)
Date: Wed, 23 Feb 1994 06:55:21 -0500 (EST)
From: Dave Hayes <dave () elxr Jpl Nasa Gov>
Cc: no-more-secrets () primus COM, bugtraq () crimelab com
^^^^^^^^^^^^^^^^^^^^^^^^^^ What is that, btw?
Tim Newsham <newsham () uhunix uhcc hawaii edu>
If you are running syslogd on your machine and you don't receive remote logging to that machine you should probably consider removing the remote function of the program.
If this is not an option (because your terminal servers, routers, widgets, all log to your loghost with udp syslog), you should certainly consider screening syslog (514/udp) at your router, along with NFS and related things. There's no reason for you to have to syslog across the 'Net.
Besides being another possible security risk, a person may easily corrupt your audit logs through this port. It is quite easy to send fake messages to the syslogd at any facility and level. An
What exactly is the problem?
The problem is that syslogd will accept any message from anywhere on the net. If you have to accept messages from your local net, this fix is not useful -- if you're only logging things on your local machine (i.e. all programs logging are using syslog(3)), then you can disable logging over UDP.
How can we, who are without source code, change this behavior?
You can get the Berkeley syslogd code, which is in all likelihood compatible with your current syslogd.

Actually, thinking about syslogd I have a few questions:

1) What's the susceptibility of it to UDP-dropping? If someone's going to do something they don't want logged, how easy will it be to flood the net with packets and make your loghost drop the packet-in-question. How easy without root? :-)

2) Is your syslogd running out of file descriptors? The last time I ran syslogd with -d (debug), it seemed there were only 4 left. Perhaps this is a SunOS peculiarity, but I suspect I'll have to use the BSD syslogd soon, anyway, just because I need to log more stuff...

--
John Hawkinson
jhawk () panix com
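For a loghost that has to keep accepting 514/udp from local devices, the sketch below screens each datagram by source network and by a valid `<PRI>` prefix before it would reach the log. It is an added example, not code from this thread or from any syslogd; the allowed networks, function names and sample datagrams are constructed. UDP source addresses are unauthenticated, so this complements screening at the router rather than replacing it.

```python
import ipaddress
import re

# Constructed allowlist: networks whose devices may log to this host.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]

# BSD syslog facility and level names, indexed by numeric code.
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
               "news", "uucp", "cron", "authpriv", "ftp"]
              + ["reserved"] * 4
              + ["local%d" % i for i in range(8)])
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_pri(datagram):
    """Return (facility, level, text) for a '<PRI>text' datagram, else None."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the highest facility/level combination
        return None
    text = datagram[m.end():].decode("latin-1").rstrip("\r\n\x00")
    return FACILITIES[pri >> 3], LEVELS[pri & 7], text


def screen(datagram, src_ip):
    """Return 'accept', 'drop-source' or 'drop-malformed' for one datagram."""
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in ALLOWED_NETS):
        return "drop-source"
    if parse_pri(datagram) is None:
        return "drop-malformed"
    return "accept"


# Constructed (source address, datagram) pairs for illustration.
SAMPLES = [
    ("192.0.2.17", b"<38>login: ROOT LOGIN REFUSED on ttyp3"),
    ("203.0.113.9", b"<34>su: bad su to root"),
    ("192.0.2.17", b"<999>bogus priority"),
]

if __name__ == "__main__":
    for src, data in SAMPLES:
        print(src, screen(data, src), parse_pri(data))
```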